Kelihos botnet brought to its knees

The Kelihos spamming botnet has been sidelined by using its own file-sharing mechanism to hijack it.

Kelihos spent its days distributing spam for dodgy Canadian pharmaceutical firms. When it was not peddling Viagra, it was pinching from Bitcoin wallets.

CrowdStrike, the security firm that worked with Kaspersky, Dell SecureWorks, and Honeynet Project to bring down the botnet, reverse-engineered the malware code and wrote its own software to ask infected computers to communicate with servers controlled by researchers and coppers.

Diverting them to the sinkhole stopped the infected computers from getting instructions for sending spam.

Within minutes, 110,000 infected machines were being sent to the researchers' sinkhole.

Adam Meyers, director of intelligence at CrowdStrike, told CNET it was cool being able to use an attribute of the botnet – the peer-to-peer networking – to bring it down.

The company injected its code into the botnet by sending it to infected computers, which in turn passed it on to others, spreading it virally. Eventually the new code overtook the network and the bad guys were run out of town.

This version of Kelihos was created last October after Microsoft used a sinkhole to halt the original Kelihos botnet, which had infected about 41,000 computers. New Kelihos servers were registered in Sweden, Russia and Ukraine.

The gang that tried to operate it abandoned it two days after the researchers began hijacking it, the company said.